From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Federal Efforts to Improve Protection of Critical Infrastructure After the Colonial Pipeline Attack

Description: The 2021 cyberattack on the Colonial Pipeline disrupted fuel supplies in the Southeast United States and showed us just how vulnerable our nation's infrastructure is to these kinds of threats. The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for overseeing the protection of critical infrastructure. What steps has CISA taken to prevent future attacks? We find out more from GAO's Tina Won Sherman-- an expert on critical infrastructure protection.

Related GAO Work: GAO-22-104279, Critical Infrastructure Protection: CISA Should Improve Priority Setting, Stakeholder Involvement, and Threat Information Sharing

Released: March 2022

[Tina Won Sherman:] After the Colonial Pipeline incident, CISA worked with the Transportation Security Administration to help prevent future ransomware attacks.

[Music]

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report-- your source for news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. The 2021 cyberattack on the Colonial Pipeline disrupted fuel supplies in the Southeast United States and showed us just how vulnerable our nation's infrastructure is to these kinds of attacks. The Cybersecurity and Infrastructure Security Agency, or CISA, is responsible for overseeing the protection of critical infrastructure like the Colonial Pipeline. So what steps has CISA taken to prevent future attacks? Today, we'll find out more from GAO Director Tina Won Sherman, an expert on critical infrastructure protection. Thanks for joining us.

[Tina Won Sherman:] Excited to be with you, Holly.

[Holly Hobbs:] So, Tina, what do we mean by critical infrastructure? And how likely is another attack?

[Tina Won Sherman:] Critical infrastructure are the assets, systems and networks that underpin much of what we rely on in our everyday lives. So not just oil and gas pipelines, but also food manufacturing and storage facilities, cell towers and satellites, banks, hospitals, and much more. There are 16 sectors that cut across all of this critical infrastructure and attacks are pretty frequent. So CISA works with the owners and operators of these critical infrastructure to help prevent attacks against the critical infrastructure, not only from foreign adversaries, but from domestic actors, including insider threats.

[Holly Hobbs:] And what has CISA done since the Colonial Pipeline attack?

[Tina Won Sherman:] After the Colonial Pipeline incident, CISA worked with the Transportation Security Administration, which oversees pipeline security, to issue two security directives for pipeline owners and operators to help prevent future ransomware attacks. CISA also issues advisories to all owners and operators on how to address other types of vulnerabilities before an incident occurs. And then also how to respond to incidents once they occur. Collaboration and information sharing is key to CISA's ability to help ensure the security and resilience of our nation's critical infrastructure.

[Holly Hobbs:] So it seems like having a good list of critical infrastructure assets, systems and networks, and then prioritizing that information would be important. And it's something CISA's working on, right? What can you tell us about those efforts?

[Tina Won Sherman:] Yeah, CISA has a number of different ways that it prioritizes its critical infrastructure, and we took a look at two primary ways that it does so that are nationwide in scope. The first is the National Critical Infrastructure Prioritization Program. This program came out of the September 11 attacks and through the program, CISA develops a list of classified critical infrastructure that -- if destroyed-- would have nationwide consequences. States are actually asked to provide on an annual basis input to the program. So they can nominate and they can also remove critical infrastructure. CISA also has its national critical functions, and in 2019 it issued a list of 55 of those functions, which if disrupted could have a debilitating effect on the nation's security, public health, safety, or on the economy. And according to CISA, the framework that houses these functions, help it better assess how the failures across these various assets, systems and networks would cascade across the 16 infrastructure sectors.

[Holly Hobbs:] So did we find any gaps in their efforts?

[Tina Won Sherman:] We did. We found several. For the prioritization program, most of the CISA officials and all of the stakeholders that we spoke with said that the program's list is no longer relevant or useful. And this is in large part due to the fact that those officials and stakeholders cited cyberattacks as the most prevalent threat to critical infrastructure, but those types of threats were not reflected in the program's list. We also found that only 14 states in the last fiscal year provided any input to either add or remove its critical infrastructure.

[Holly Hobbs:] What about the framework that's meant to assess how failures could cascade across those 16 sectors that you talked about?

[Tina Won Sherman:] For the functions framework, we learned that most of the CISA officials and the stakeholders that we spoke with didn't really understand how CISA's framework would be used to prioritize critical infrastructure, were unclear about where their particular organization sat within the framework, and didn't understand what the potential impact on their program and operations could be. We also found that CISA hasn't documented goals and strategies to outline the intent of how it plans to use this framework.

[Music]

[Holly Hobbs:] So Tina just told us that CISA has taken steps to better protect critical infrastructure-- like our pipelines and water supply-- from cyberattacks. But that we found some gaps in these efforts, including outdated lists that don't reflect current threats. So Tina, what could CISA do to improve its efforts?

[Tina Won Sherman:] Well, Holly, we made several recommendations to CISA. We recommended that CISA strengthen its prioritization program by revising its list to reflect current threats and to increase state input in the development of its list on an annual basis. We also recommended that for its functions framework, CISA incorporate as part of its implementation of the framework, stakeholders as part of that process, and that it document goals and strategies for what it intends to do with the framework.

[Holly Hobbs:] And last question, what's the bottom line of this report?

[Tina Won Sherman:] Over the past few years, CISA has made strides in protecting our nation's critical infrastructure, and by implementing our recommendations could help defend owners and operators from the range of cyber and physical attacks that many of them are likely to face.

[Holly Hobbs:] That was Tina Won Sherman talking about GAO's new report on protecting our nation's critical infrastructure. Thanks for your time, Tina.

[Tina Won Sherman:] Thanks so much, Holly.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify or wherever you listen, and make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.